Sunday, August 12, 2018

Fuck You, Dropbox!

Dropbox will become unusable for me in November.
There is no way I'll not use encryption on my laptops, so bye & bye and fuck off.
Back to local external HDD and custom made scripts to sync stuff between boxes.
What a fucking piece of shit move, man.


Friday, July 27, 2018

No Internet, No Life

Spotty or directly no internet at home since yesterday afternoon.
My guess, the same thing that happened in 2011.
Will see, come Monday the Internet Company will drop by to check things out.


Thursday, January 25, 2018

Patching For The Inevitable

Installed a new firmware on the router at chez Oesediez today.
No doubt it is already old & owned even before I installed it.


Thursday, January 29, 2015

New Router (Now With DHCP!)

So, last December, my WBR-2310 router died, forcing me to go back to the D-Link DIR-601, which was already, really, really beat-up and performing not so well.
A new router was in order, almost mandatory, and the chosen one was a Netgear WNR2000v5.
Configured to spec even during the holidays, without the actual LAN to test it, and replaced the aging D-Link DIR-601 without any issue once I got home.
The main difference with the prior setup was that I had to move my LAN setup to DHCP, in order to be able to use the Roku, but then again, using the DHCP reservations proved to work A Ok so far, so I didn't even change the fixed IP addresses of all the boxes on the LAN.


Thursday, October 16, 2014

Super Dynamic G WiFi Spot


Last night my house WiFi router (a D-Link WBR-2310) decided to stop working.
So, connected to it via Ethernet cable everything seemed to work A Ok, just the WiFi went South.
Switched the Super G Mode to Dynamic With Turbo, and presto, the WiFi popped to life and has been working great ever since...



Monday, September 26, 2011

D-Link DIR-601 & SIP problems

Last Friday got a new WiFi router, everything went really smooth when I switched routers, except for one thing, my SIP phone wasn't working.
I have a nice and really cheap Budge Tone 201, and after changing routers it stopped working, I was able to register via SIP to the Asterisk server with the Budge Tone, but I didn't hear anything once I made a call, nor could the other party hear me at all.
The Linux SIP softphone Ekiga -executed from my Ubuntu laptop- did work Ok, tho.

Upgraded the firmware from version:
Current Firmware Version  :  1.00NA
Current Firmware Date : Mon, 05 Oct 2009

To version:
Current Firmware Version :  1.02NA
Current Firmware Date : Thu, 25 Nov 2010


Now the Budge Tone works A Ok and things seem to be just fine.


Tuesday, March 29, 2011

Extra packages on Endian 2.4.1 (1)

A couple of extra RPMs I have been installing lately on this brand new UTM box.

http://archives.fedoraproject.org/pub/archive/fedora/linux/core/3/i386/os/Fedora/RPMS/info-4.7-5.i386.rpm
http://archives.fedoraproject.org/pub/archive/fedora/linux/core/3/i386/os/Fedora/RPMS/wget-1.9.1-17.i386.rpm
http://packages.sw.be/iftop/iftop-0.16-0.2.el4.rf.i386.rpm

All of these installed without any problem via
rpm -ivh


Monday, April 05, 2010

PF Sense setup (II)


A little package to show (in real time) the bandwidth use on the PF Sense firewall.
It is called "rate", and it is available from the "Available Packages" menu entry.



This package adds a table of realtime bandwidth usage by IP address to Status -> Traffic Graphs


PF Sense setup (I)


Will try to keep a journal (daily, hopefully) of what I'm doing on the PF setup.

Today got the OpenVPN up & running; it is way more complex than doing so if you run, say, Endian, as your router/ firewall/ UTM solution; but once it is up and running, it seems, it feels more robust.
By far, the greatest PITA is setting up the PKI files.

This is the openvpn line to connect as client, for the moment, at least:
sudo openvpn --client --pull --comp-lzo --nobind --dev tun \
--ca ~/ca.crt --cert ~/certificate.crt --key ~/key.key \
--remote my.pf-sense.router --proto tcp


Thursday, July 23, 2009

Install iftop on the Endian Firewall

I love iftop, it is the answer, the immediate answer, to the most asked question "who the fuck is turning the network to molasses".
So after reading this Install VMWareTools On Endian Firewall Community 2.2 RC3, I decided to try and install some RPM extras on the firewall.

So, I got the iftop RPM package from DAG, this one:

http://dag.wieers.com/rpm/packages/iftop/iftop-0.16-0.1.fc3.rf.i386.rpm


Setup things a bit tidy on the Endian:

~ # mkdir local.rpms
~ # cd local.rpms/


And then used wget, that I already installed using the instructions from the first link, downloaded the RPM, and tested if I could install it or if there was a dependency:

~ # rpm --test -ivh iftop-0.16-0.1.fc3.rf.i386.rpm
warning: iftop-0.16-0.1.fc3.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]


No dependencies, everything went A Ok, so simply install and enjoy:

~ # rpm -ivh iftop-0.16-0.1.fc3.rf.i386.rpm
warning: iftop-0.16-0.1.fc3.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing... ########################################### [100%]
1:iftop ########################################### [100%]


Wednesday, July 15, 2009

Endian: Transparent Proxy on Green (make it work)

These last few days have been really busy, I'm currently migrating one of the office network setups to a UTM solution.
I'm installing and testing the Community (that is the free and unsupported ;) ) edition of the Endian Firewall.

Had a lot of problems to get the built in proxy Squid to get up and running in transparent mode, whatever I tried, it always belched this error message while trying to browse any page:


Sorry, you are not currently allowed to request:
<...Some website URL here...>
from this cache until you have authenticated yourself.

This request could not be forwarded to the origin server or to any
parent caches. The most likely cause for this error is that:
The cache administrator does not allow this cache to make direct connections to origin servers, and
All configured parent caches are currently unreachable.


Transparent mode, on the Green interface is the Holy Grail, no setup on any client at all, all the HTTP traffic goes thru the Proxy, and whatever limit or filter you wish to apply on it, but, after a default install, it refused to let the clients reach the internet, a real and major PITA.

Googled like a MF and read just about what ever I can get my hands on, even rebooted the Endian Firewall box, just to see if that would work.
In the end, found the solution, and I'm posting hoping someone might find it interesting as well.

To enable it, go to Proxy, after enabling it, set transparent for Green, Save and reinit, and then go to the 'Default Policy' tab, and click on "Create a rule", and set it like on the screenshot.





Authentication on transparent proxy?? RESOLVED! - Lots of hope on this one, but nothing
The requested URL could not be retrieved - Lots of hope on this one, but nothing
Beta 2.2 "Content Filter": msg#00010 - This is the closest
SOLVED [Fwd: Help with AV y Content Filter]
Proxy no longer allows access
Squid/DansGuardian not functioning together for "Standard" users.
Content Filter does not start when enabled so proxy denies access to all web pages


Wednesday, February 25, 2009

Editing ufw order

One thing I noticed about the Ubuntu Firewall, or the Uncomplicated Firewall, is that it adds new rules to the bottom of the existing ones by default, and that there is no way -at least I didn't find one- of flushing or zeroing the rules, and reloading from the CLI, in order to reload the new ones.

What I did to change the order of the rules is edit the file

'/var/lib/ufw/user.rules'

arrange the rules the way I want them -the more general ones on top, for instance- and then, issue a:

sudo ufw reload


In order to clear the rules, and reload (doh!) them in the new order as defined on the newly edited 'user.rules' file.


Friday, September 12, 2008

Bloody Mary

A couple of links for Linux distributions aimed to be used on plain vanilla WiFi routers, the SOHO kind, perhaps, actually, more of the 'HO' side than the 'SO' side.

Turn Your $60 Router into a User-Friendly Super-Router with Tomato
Tomato Firmware


Monday, March 17, 2008

The fire hazard continues...

Everything is a mess
I have to get things organized here, before a fire burns down the place...
There are a couple of things less than in this picture, but still it is an effing mess.
BTW, on the left, that's Judith, and barely making it on the picture, on the right, that's Thor, hanging on, as usual.
I am totally amazed at the amount of sh*t Judith can handle, OpenBSD really rocks on older hardware, if I did reboot it, it was due to some other problems, but so far, nothing to do with the box itself.


Tuesday, January 29, 2008

PF traffic shaping

Been doing some research to enable traffic shaping, even tho I have only one box powered on 24x7 behind the OpenBSD firewall/ router, I want to learn more about it.
Here are a couple of links I have gathered while Googling on the matter:

- Prioritizing empty TCP ACKs with pf and ALTQ
- A brief introduction to altq
- Why do clients running BitTorrent make my router's latency go through the roof?


Wednesday, January 02, 2008

PF: Going a little farther & tighter

As I said before I have installed an OpenBSD box on my LAN, to work as firewall, for the setup and rules, I have used one of the built-in example scripts supplied with the distro, the one called 'faq-example1', there are many other examples listed on the same OpenBSD installed box, under the '/usr/share/pf/' directory; or you can take a look at it on this page: Firewall for Home or Small Office.
What this sample script does exactly is this:

In this example, PF is running on an OpenBSD machine acting as a firewall and NAT gateway for a small network in a home or office. The overall objective is to provide Internet access to the network and to allow limited access to the firewall machine from the Internet, and expose an internal web server to the external Internet.


The thing is, I don't want to serve any site from my LAN, and also, I don't want the SSH port to be open to the public internet... So I have modified the script, to close those things up.
Here is a copy of what the edited file looks like:

# macros
ext_if="ne3"
int_if="dc0"
icmp_types="echoreq"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# filter rules
block in

pass out

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }

pass in inet proto icmp all icmp-type $icmp_types

pass quick on $int_if no state


After editing and saving it, execute this, to make it active:

sudo pfctl -f /etc/pf.conf


This will block anything & everything coming from the outside, except for ping, which you'll get a reply from the external, the public, IP address of the OpenBSD's server; you can certainly close that as well, but I like to be able to know from any location if my ISP is working or not.
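
One way to check that claim against the rule file itself, as an added example that is not part of the original post: the hypothetical helper `audit_pf_inbound` expands the macros and lists every `pass` or `rdr` rule that is neither outbound-only nor bound to the internal interface. The second rule file is constructed for contrast, and the check only understands a single interface name after `on`, not lists or anchors.

```shell
# Added example (hypothetical helper). audit_pf_inbound FILE [INT_MACRO] lists
# every pass/rdr rule that is not outbound-only and not bound to the LAN side.
audit_pf_inbound() {
    awk -v intname="${2:-int_if}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments, blank lines
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {             # macro: name="value"
            name = $0; sub(/[ \t]*=.*/, "", name)
            val = $0;  sub(/^[^=]*=[ \t]*/, "", val); gsub(/"/, "", val)
            macro[name] = val; next
        }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            for (m in macro) gsub("\\$" m, macro[m], line)   # expand $macros
            split(line, f, /[ \t]+/)
            if (f[1] != "pass" && f[1] != "rdr") next        # rule cannot admit traffic
            if (f[1] == "pass" && f[2] == "out") next        # outbound only
            if (index(" " line " ", " on " macro[intname] " ")) next  # LAN side
            print NR ": " $0                                 # report the rule as written
        }
    ' "$1"
}

tmp=$(mktemp -d)
# The edited rules from the post, minus options and anchors.
cat > "$tmp/edited.conf" <<'EOF'
ext_if="ne3"
int_if="dc0"
icmp_types="echoreq"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
block in
pass out
antispoof quick for { lo $int_if }
pass in inet proto icmp all icmp-type $icmp_types
pass quick on $int_if no state
EOF
# Constructed rules of the kind the post removed (web redirect, SSH from outside).
cat > "$tmp/exposed.conf" <<'EOF'
ext_if="ne3"
int_if="dc0"
block in
pass out
rdr on $ext_if proto tcp from any to any port 80 -> 192.168.1.3
pass in on $ext_if inet proto tcp to ($ext_if) port 22
pass quick on $int_if no state
EOF
audit_pf_inbound "$tmp/edited.conf"    # only the ICMP echo rule
audit_pf_inbound "$tmp/exposed.conf"   # the rdr and the SSH pass rule
```

This is a text check only; `pfctl -nf /etc/pf.conf` parses the file without loading it, which catches syntax errors before the reload.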


Saturday, December 29, 2007

So long Belkin and thanks for all the airwaves

My beloved and trusty (so far) Belkin wireless router died today, it got fried when plugged to 220V, it runs on 110V...
So, it was an excellent opportunity to get my newly built incarnation of Goliath, as the main router and firewall for the setup.
It wasn't that hard to setup, it might have taken me a couple of hours, right now Goliath is working as the firewall, DHCP server, caching DNS server & NTPD server.
On top of that, since that box has a huge 80 GB drive on it, I'm using it to download BitTorrents, right now I'm running 6 torrents, on 6 screens, and the load of the OpenBSD barely scratches 1 dot something. I love this OpenBSD stuff! Especially how things are geared towards "getting things done", no bullshit, simple results, as an example, the explanation on how to make your OpenBSD box into a DHCP Server is amazing, is somehow like a haiku.

For the whole setup, used the FAQs on the OpenBSD site, the firewall at the moment is the plain vanilla example for the Firewall for Home or Small Office, the DNS server setup, a caching only one, it is like the setup of a regular one, except that Bind does not serve any zone, but the built-in ones.


Thursday, August 03, 2006

iftop running on Terminal



Not really Os X, but, hey it is running inside a Terminal window!
The output comes from an IpCop box
